216.73.217.22

CVE-2025-32792

· Published 18/04/2025 16:15 · Modified 18/04/2025 16:15

Labels: CVE-2025-32792 2025-04-18CVE-2025-32792CWE-497[email protected]

Essential information

Published
18/04/2025 16:15
Modified
18/04/2025 16:15
Author
Creator
CVSS
8.7 HIGH (v3) 8.7 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

SES safely executes third-party JavaScript 'strict' mode programs in compartments that have no excess authority in their global scope. Prior to version 1.12.0, web pages and web extensions using `ses` and the Compartment API to evaluate third-party code in an isolated execution environment that have also elsewhere used `const`, `let`, and `class` bindings in the top-level scope of a `<script>` tag will have inadvertently revealed these bindings in the lexical scope of third-party code. This issue has been patched in version 1.12.0. Workarounds for this issue involve either avoiding top-level `let`, `const`, or `class` bindings in `<script>` tags, or change these to `var` bindings to be reflected on `globalThis`.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
github / ses cpe:2.3:a:github:ses:<1.12.0:*:*:*:*:*:*:*

References